China to impose security check on infrastructure IT procurement
BEIJING — China will next month require operators of public infrastructure such as telecommunications and transport to undergo a security review of their suppliers when they procure servers and other information technology equipment.
The requirement is aimed at preventing disruptions in the supply of IT equipment as a result of political, diplomatic and other developments, according to the Chinese government. But foreign companies may be shut out of procurement as a result.
The government also plans to limit the use of customer data by foreign companies as it is reinforcing its “China first” policy at a time when U.S. President Donald Trump is lashing out at China more strongly than ever.
China will put a new law into force on June 1 under its Cybersecurity Law in force since 2017. It will require telecommunications, transport, finance and other public infrastructure operators planning to procure IT equipment to submit contracts and results of analyzed risks, including those related to national security, to the government for prior examination.
Although the details of the examination are unknown, the government said it will check the risk of supply disruptions caused by political, diplomatic and trade issues.
The new law will apply to companies managing information on public infrastructure indispensable for the people’s daily lives, such as telecom and information services, energy, traffic, finance and public services. Devices and services subject to the review will include personal computers, servers, network equipment and cloud services.
Foreign tech giants operating in China like HP and Dell Technologies could find themselves being excluded from the list of eligible suppliers for Chinese infrastructure companies. Some observers say Japanese companies will also be subject to the new restrictions.
According to the sources familiar with the matter, the Ministry of Industry and Information Technology and others started to make a list of recommended companies and products for government procurement one or two years ago. Unless listed, local governments and state-owned enterprises in principle cannot procure from those companies and products.
Personal computers and printers, including multi-function printers, are on the list. Conditions to be considered are whether the companies manufacture the products in China and if the ratio of shares they hold in a local company is below a certain percentage.
The Chinese government has ostensibly claimed that foreign companies are welcome to enter its market and has not officially announced the existence of such a list. Therefore, some foreign companies started to raise concerns, saying any use of such a document amounts to “a move to push foreign companies out of China in a vague way.”
The new security review rules requiring companies buying networking products to perform cybersecurity evaluations for vulnerabilities that could affect national security will basically cover hardware. But China plans to impose similar regulatory control over data. Beijing may start implementing administrative regulations related to the Cybersecurity Law to protect sensitive data and personal information.
The regulations will set basic rules concerning how businesses should deal with personal data obtained in China and restrict the transfer of such data overseas.
The measures may ban foreign companies operating in China from transferring their customer information out of China without obtaining permission from authorities or require them to submit such information when requested. That means foreign companies will probably have to create special information infrastructure for their Chinese operations separate from the systems used by their headquarters at home.
Chinese President Xi Jinping’s administration is clearly stepping up its efforts to develop unique homegrown supply chains for both IT equipment and data.
Under its “Made in China 2025” policy initiative, unveiled in 2015, the Xi administration pledged to promote domestic production of IT products, while the Cybersecurity Law has established guiding principles for restricting foreign companies’ use of data acquired in China.
The coronavirus pandemic is negatively affecting global supply chains. If China shuts out U.S. companies by tightening restrictions on procurement of information communications and data, it could further intensify anti-Chinese sentiment in the U.S. It could also affect the outcome of the U.S. presidential election in terms of the China policy of President Donald Trump, who is becoming increasingly critical of the country.